Fenrir is a simple IOC scanner written as a bash script. It scans Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):
Basic characteristics:
Fenrir is the third tool after THOR and LOKI. THOR is our full-featured APT scanner with many modules and export types for corporate customers. LOKI is a free and open IOC scanner that uses YARA as its signature format.
Both predecessors have requirements on the Linux platform: THOR has to be built for a specific Linux version so that it links against the libc required by its YARA module, and LOKI needs Python and YARA installed on the host in order to run.
We faced the problem of checking more than 100 different Linux systems for certain Indicators of Compromise (IOCs) without installing an agent or software packages. We already had an Ansible playbook for distributing THOR to a defined set of remote Linux systems. This playbook creates a RAM drive on the remote system, copies the local program binary to it, runs the program and retrieves the logs afterwards, which keeps the program’s footprint on the remote system minimal. I adapted the Ansible playbook for Fenrir (it is still untested).
Fenrir is still in testing. Please report errors (and solutions) via the “Issues” section on GitHub.
If you find a better / more solid / less error-prone solution to the evaluations in the script, please report it back. I am not a full-time bash programmer, so I’d expect some room for improvement.
Usage: ./fenrir.sh DIRECTORY
DIRECTORY – Start point of the recursive scan
All settings can be configured in the header of the script.
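As an added illustration (this is not Fenrir's own code), the following POSIX sh script shows the kind of checks such a scanner runs over the directory given on the command line: a SHA-256 hash match, a file-name match, and a string match that also looks inside gzip-packed rotated logs. The IOC lists are passed as file arguments instead of being configured in the script header, and the IOC values, file names and log line are constructed for the demo; the hash IOC is derived from the constructed sample at setup, whereas a real scanner takes it from a threat-intel IOC list.

```shell
#!/bin/sh
# Added example, not Fenrir's own code: a minimal Fenrir-style IOC scan.

sha256_of() {
    # Portable SHA-256: sha256sum on Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# scan_dir DIR HASH_IOCS NAME_IOCS STRING_IOCS
# Walks DIR recursively and prints one line per hit: "<TYPE> <path> <indicator>".
scan_dir() {
    dir=$1; hash_iocs=$2; name_iocs=$3; string_iocs=$4
    find "$dir" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        # 1. hash check: exact, case-insensitive line match against the hash list
        h=$(sha256_of "$f")
        if grep -qixF "$h" "$hash_iocs"; then
            printf 'HASH_MATCH %s %s\n' "$f" "$h"
        fi
        # 2. file-name check: each name IOC is a substring of the base name
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            case "$base" in *"$pat"*) printf 'NAME_MATCH %s %s\n' "$f" "$pat" ;; esac
        done < "$name_iocs"
        # 3. string check: gzip-packed files are decompressed on the fly
        case "$f" in
            *.gz) reader="gzip -dc" ;;
            *)    reader="cat" ;;
        esac
        while IFS= read -r s; do
            [ -n "$s" ] || continue
            if $reader "$f" 2>/dev/null | grep -qF -- "$s"; then
                printf 'STRING_MATCH %s %s\n' "$f" "$s"
            fi
        done < "$string_iocs"
    done
}

# demo_scan: builds a constructed sample tree plus IOC lists in a temp dir,
# runs the scan over it and prints the matches (three are expected).
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/scan/var/log" "$tmp/iocs"
    # Constructed "known-bad" sample; its hash becomes the hash IOC. In real use
    # the hash comes from an IOC feed, never from the host being scanned.
    printf 'constructed sample dropper\n' > "$tmp/scan/.cache.bin"
    sha256_of "$tmp/scan/.cache.bin" > "$tmp/iocs/hashes.txt"
    # Constructed file-name IOC and a matching (empty) file
    printf 'evil_backdoor\n' > "$tmp/iocs/filenames.txt"
    : > "$tmp/scan/evil_backdoor.so"
    # Constructed string IOC (a made-up C2 host) inside a gzip-packed rotated log
    printf 'c2.example.invalid\n' > "$tmp/iocs/strings.txt"
    printf 'Jan 1 00:00:01 host curl: GET http://c2.example.invalid/beacon\n' \
        | gzip -c > "$tmp/scan/var/log/syslog.1.gz"
    # A clean file that must not produce any match
    printf 'nothing to see here\n' > "$tmp/scan/README"
    scan_dir "$tmp/scan" "$tmp/iocs/hashes.txt" "$tmp/iocs/filenames.txt" "$tmp/iocs/strings.txt"
    rm -rf "$tmp"
}

# Run the demo when the file is executed directly.
demo_scan
```

Running the file prints one HASH_MATCH, one NAME_MATCH and one STRING_MATCH line and nothing for the clean file. Note that the string check deliberately does not trust file extensions beyond `.gz`: a practitioner extending this would also want to skip very large or special files (devices, sockets), which `find -type f` already excludes.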
Step by Step
What Fenrir does is:
Screenshots
Scan Run showing the different match types on a demo directory.
Detect C2 connections
Detect strings in GZIP packed log files
Configuration
Ansible Playbook
Stat issue (regarding the file creation timestamp reported by stat on Linux file systems)